- `credential_type` `(string: "password")` – Specifies the type of credential that
  will be generated for the role. Options include: `password`, `rsa_private_key`, `client_certificate`.
  See the plugin's API page for credential types supported by individual databases.

- `credential_config` `(map<string|string>: <optional>)` – Specifies the configuration
  for the given `credential_type`.

  The following options are available for each `credential_type` value:

  - `password`
    - `password_policy` `(string: <optional>)` - The [policy](/vault/docs/concepts/password-policies)
      used for password generation. If not provided, defaults to the password policy of the
      database [configuration](/vault/api-docs/secret/databases#password_policy).

  - `rsa_private_key`
    - `key_bits` `(int: 2048)` - The bit size of the RSA key to generate. Options include:
      `2048`, `3072`, `4096`.
    - `format` `(string: "pkcs8")` - The output format of the generated private key
      credential. The private key will be returned from the API in PEM encoding. Options
      include: `pkcs8`.

  - `client_certificate`
    - `common_name_template` `(string: "")` - A [username template](/vault/docs/concepts/username-templating)
       to be used for the client certificate common name.
    - `ca_cert` `(string: "")` - The PEM-encoded CA certificate.
    - `ca_private_key` `(string: "")` - The PEM-encoded private key for the given `ca_cert`.
    - `key_type` `(string: <required>)` - Specifies the desired key type. Options include:
      `rsa`, `ed25519`, `ec`.
    - `key_bits` `(int: 2048)` - Number of bits to use for the generated keys. Options include:
      `2048` (default), `3072`, `4096`; with `key_type=ec`, allowed values are: `224`, `256` (default),
      `384`, `521`; ignored with `key_type=ed25519`.
    - `signature_bits` `(int: 256)` - The number of bits to use in the signature algorithm. Options include:
      `256` (default), `384`, `512`.
